Microsoft Azure and CSP

UPD: This post is outdated. Use the Azure CSP documentation to get the latest updates about the limitations. Fewer and fewer are left :)

In my previous post I mentioned that there are currently significant feature differences between Microsoft Azure purchased via traditional channels (Direct, Open, EA) and Azure CSP. In this post I'll continue my CSP story and describe Azure CSP in detail.

I've already written about the 2 different Azure models, ASM and ARM, which use different portals and APIs for management. Some services are available only on the "current portal" (ASM-based services), and some services, especially new ones, appear only on the "new portal" (ARM-based services). Additionally, some ASM services (like "classic" VMs) are available on the new portal, which confuses customers.

The Azure CSP approach simplifies the experience for end customers, because only ARM-based services are available in it. More than 95% of revenue-generating services are already available in CSP, so don't worry about VMs, vNets, Web Sites, SQL Azure etc. Azure CSP is great and can be used by most customers. But you need to understand the limitations.

Here are the limitations of Azure CSP subscriptions:

1. Only the new portal is available for management. If an end user with Azure CSP subscription admin rights tries to log on to the current portal, he'll receive an error.

2. Only ARM services, ARM APIs and ARM PowerShell cmdlets are available. Services that are managed only on the current portal are not available in Azure CSP.

3. No "classic" deployment method is available. Compare the New VM creation UI in traditional and CSP subscriptions.

4. Third-party solutions in Azure Marketplace are limited to those that support the "Bring your own license" model. You need to purchase the license for third-party Marketplace software somewhere else and then use it for the third-party service deployed in Azure.

Services, not available in Azure CSP

To get the most recent details about which services are available in Azure and which are not, go to the "Sales" page in the Partner Center portal and download the "Release Notes" document for Azure Services in CSP. The current version was updated on 29th of February, less than a week ago.

Here is the high-level view:

*Portal UI is available for Site-to-Site VPN Gateway configurations
**Now it is available.

Azure Backup

Azure Backup is available in CSP via Azure PowerShell and the ARM API. It is not available in the portal, but this will change soon. Currently, Azure Backup management via the UI is in Private Preview, which you can join. Instructions are available in the "Release Notes" document.

UPDATE: Azure Backup is now available via CSP. Details are here.

Azure Site Recovery

ASR management is available only via Azure PowerShell and ARM APIs. You can also configure ASR via the ASR Agent and VMM. ASR management will be added to the portal in the coming months.

UPDATE: Azure Site Recovery is now available via CSP. Details are here.

Azure Log Analytics

Azure Log Analytics (also called Operational Insights) is not available in Azure CSP yet, so customers need to purchase it as part of the OMS Suite, which is sold as an add-on to System Center licenses.

UPDATE: Azure Log Analytics is now available via CSP.

Azure RemoteApp

Azure RemoteApp is not available in Azure CSP yet. If a customer wishes to have similar functionality from Azure, the service provider can deploy a Windows Server 2012 R2 RDS farm on Azure VMs.

Azure Active Directory

Full Azure AD management is not available for tenants directly on the portal. Check here for details. But Office 365 and Azure CSP use Azure AD as the identity provider internally. When a CSP Direct partner or CSP Distributor creates a new customer on the Partner Center portal, a primary domain must be specified (*.onmicrosoft.com). For every new customer an Azure AD directory is created automatically, named <primarydomain>.onmicrosoft.com.

The only sad thing is that there is no Azure AD management UI available on the new portal, and you can't access the current portal to manage this directory. On the new portal you'll see this picture:

Of course, you can manage this Azure AD through the Office 365 admin portal: create new users, manage permissions, configure the integration with on-premises AD. This will be enough for most customers.

If you need full Azure AD management capabilities, there is a workaround. First, you can try to use this link to access the old Azure portal for Azure AD management purposes only. But sometimes it doesn't work. In such cases use the following workaround.

1. Log on to the current Azure portal using an account with a traditional Azure subscription. It can be a free Azure trial subscription, an MSDN subscription (which is available to all Silver/Gold Microsoft Partners) or any paid subscription.

2. Click +New -> App Services -> Active Directory -> Directory.

3. Choose "Use existing directory" and click "I am ready to be signed out now."

4. You will be logged out. Log in as any user that has Global Administrator rights to the Azure AD directory that you want to add. In my case it can be admin@kotlyarenko.onmicrosoft.com (the user that was created during New Customer creation on Partner Center) or kirill@kotlyarenko.com (a user that I created on the Office 365 admin portal and assigned Global Admin rights).

5. After that your Azure subscription admin will be added to this directory with Global Admin rights.

6. That's all. Log back on with your Azure subscription admin credentials and you'll be able to fully manage this directory.

Important: all paid Azure AD features will be charged to your traditional Azure subscription, not to Azure CSP. So if your customer wishes to use multi-factor authentication, rich reports, advanced self-service features or other Azure AD Premium features, they must buy an Azure AD Premium per-user subscription via CSP. It is available as a standalone license or as part of Enterprise Mobility Suite (EMS). Don't forget to assign these licenses to users:

BTW, all main Azure services and features will be migrated to the new portal during the next year, so don't worry about these issues and challenges in the long term.

Management of Azure services in CSP Direct

CSP Direct partners can use the Partner Center portal to manage customer service subscriptions.

By default, the CSP Direct partner is the only owner of the customer's Azure subscription. He can add other users as owners, readers, contributors etc. to the tenant's subscription.

For example, he can specify the customer's Microsoft ID or another account, such as an Office 365 e-mail.

The service provider can offer fully managed Azure-based services (e.g. the service provider creates VMs and configures everything), or he can delegate Azure management responsibilities to the customer's IT guys or even to an outsourcing organization.
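The delegation described above can also be reviewed and done from PowerShell. The script below is an added example, not part of the original post or of Microsoft's documentation: it lists who holds a role on a CSP subscription, warns about every Owner, and delegates with Contributor rather than Owner. It assumes the Az PowerShell module and an existing Connect-AzAccount session; the subscription ID and the delegate's sign-in name are placeholders.

```powershell
# Added example. Both values below are placeholders, not real identifiers.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'  # customer's CSP subscription
$Delegate       = 'it-admin@customer.example'             # account to delegate to
$Scope          = "/subscriptions/$SubscriptionId"

Set-AzContext -Subscription $SubscriptionId | Out-Null

# 1. Audit: every role assignment that applies at subscription scope,
#    including those inherited from a parent scope (see the Scope column).
$assignments = Get-AzRoleAssignment -Scope $Scope
$assignments |
    Sort-Object RoleDefinitionName, DisplayName |
    Format-Table DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope -AutoSize

# 2. Owners can grant access to others, so each one deserves a second look.
$owners = @($assignments | Where-Object { $_.RoleDefinitionName -eq 'Owner' })
foreach ($o in $owners) {
    Write-Warning ("Owner on {0}: {1} ({2})" -f $o.Scope, $o.DisplayName, $o.ObjectType)
}

# 3. Delegate day-to-day management with Contributor: the delegate can manage
#    resources but cannot change role assignments. Skip if already assigned.
$existing = Get-AzRoleAssignment -SignInName $Delegate -Scope $Scope `
                                 -RoleDefinitionName 'Contributor'
if (-not $existing) {
    New-AzRoleAssignment -SignInName $Delegate `
                         -RoleDefinitionName 'Contributor' `
                         -Scope $Scope
}
```

Passing a resource group scope instead of the subscription scope narrows the delegation further.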

I've recently posted a full list of Azure services, currently available in CSP.

Management of Azure services in CSP Indirect

In the CSP Indirect model it depends on the management panel and process automation used, which is unique for every CSP Distributor.

By default, the CSP Distributor creates a new customer on the Partner Center portal and assigns a Microsoft Azure subscription to that customer. After that, the CSP Distributor can assign other users with Owner rights to this subscription on the new Azure portal. The procedure is the same as described above for CSP Direct. It can be the customer's account or the CSP Indirect partner's account.

If you need more information about Azure in CSP, look at "Azure CSP in a Box". It covers technical aspects (API, pre-sales, administration) and business scenarios. It is a very valuable resource regarding Azure in CSP.